Windows 8/8.1 Security Technical Implementation Guide

Checks: C-44752r1_chk

Verify user workstations containing sensitive data are in access-controlled areas. Users must maintain control of, and protect, mobile systems. If systems are not adequately protected, this is a finding.

Fix: F-41152r1_fix

Establish site policy that ensures workstations containing sensitive data are located inside a controlled access area. Establish a policy on protecting mobile systems outside of controlled areas.

Checks: C-44753r3_chk

Determine if any shared accounts exist. If no shared accounts exist, this is NA. Any shared account must be documented with the ISSO. Documentation must include the reason for the account, who has access to this account, and how the risk of using a shared account (which provides no individual identification and accountability) is mitigated. If such documentation does not exist, or is not current, this is a finding. Note: As an example, a shared account may be permitted for a help desk or a site security personnel machine, if that machine is standalone and has no access to the network.

Fix: F-41153r1_fix

Create or update shared accounts documentation that minimally contains the name of the shared account(s), the system(s) on which the accounts exist, and the individuals who have access to the accounts. Remove any shared accounts that do not meet the requirements.

Checks: C-44760r3_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> Security Options. If the value for "Interactive Logon: Message text for users attempting to log on" is not set to the following, this is a finding: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: LegalNoticeText Value Type: REG_SZ Value: See message text above

Fix: F-41160r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive Logon: Message text for users attempting to log on" to the following. You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details.

Checks: C-44764r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Account Lockout Policy. If the "Account lockout threshold" is "0" or more than 3 attempts, this is a finding.

Fix: F-41164r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Account Lockout Policy -> "Account lockout threshold" to "3" or less invalid logon attempts (excluding "0" which is unacceptable).

Checks: C-74311r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Account Lockout Policy. If the "Reset account lockout counter after" value is less than "15" minutes, this is a finding.

Fix: F-80979r1_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Reset account lockout counter after" to at least "15" minutes.

Checks: C-74309r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Account Lockout Policy. If the "Account lockout duration" is less than "15" minutes (excluding "0"), this is a finding. Configuring this to "0", requiring an administrator to unlock the account, is more restrictive and is not a finding.

Fix: F-80977r1_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Account Lockout Policy >> "Account lockout duration" to "15" minutes or greater. A value of "0" is also acceptable, requiring an administrator to unlock the account.

Checks: C-44768r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Password Policy. If the value for the "Maximum password age" is greater than 60 days, this is a finding. If the value is set to 0 (never expires), this is a finding.

Fix: F-41168r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Maximum Password Age" to "60" days or less (excluding "0" which is unacceptable).

Checks: C-44769r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Password Policy. If the value for the "Minimum password age" is less than one day, this is a finding.

Fix: F-41169r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum Password Age" to at least "1" day.

Checks: C-44770r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Password Policy. If the value for "Enforce password history" is less than "24" passwords remembered, this is a finding.

Fix: F-41170r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Enforce password history" to "24" passwords remembered.

Checks: C-44772r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Accounts: Guest account status" is not set to "Disabled", this is a finding.

Fix: F-41172r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Guest account status" to "Disabled".

Checks: C-44773r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Accounts: Rename guest account" is not set to a value other than "Guest", this is a finding.

Fix: F-41173r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename guest account" to a name other than "Guest".

Checks: C-44774r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Accounts: Rename administrator account" is not set to a value other than "Administrator", this is a finding.

Fix: F-41174r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Rename administrator account" to a name other than "Administrator".

Checks: C-44776r1_chk

Verify the local system boots directly into Windows. Open Control Panel. Select "System". Select the "Advanced System Settings" link. Select the "Advanced" tab. Click the Startup and Recovery "Settings" button. If the drop-down list box "Default operating system:" shows any operating system other than Windows 8, this is a finding.

Fix: F-41175r1_fix

Ensure Windows 8 is the only operating system on a device. Remove alternate operating systems.

Checks: C-44779r3_chk

The default ACL settings are adequate when the Security Option "Network access: Let Everyone permissions apply to anonymous users" is set to "Disabled" (V-3377). If the default ACLs are maintained and the referenced option is set to "Disabled", this is not a finding. Verify the default permissions for the sample directories below. Non-privileged groups such as Users or Authenticated Users must not have greater than Read & execute permissions except where noted as defaults. (Individual accounts must not be used to assign permissions.) Viewing in File Explorer: Select the "Security" tab, and the "Advanced" button. C:\ Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to Administrators - Full control - This folder, subfolders and files SYSTEM - Full control - This folder, subfolders and files Users - Read & execute - This folder, subfolders and files Authenticated Users - Modify - Subfolders and files only Authenticated Users - Create folders / append data - This folder only \Program Files Type - "Allow" for all Inherited from - "None" for all Principal - Access - Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files \Windows Type - "Allow" for all Inherited from - "None" for all Principal Access Applies to TrustedInstaller - Full control - This folder and subfolders SYSTEM - Modify - This folder only SYSTEM - Full control - Subfolders and files only Administrators - Modify - This folder only Administrators - Full control - Subfolders and files only Users - Read & execute - This folder, subfolders and files CREATOR OWNER - Full control - Subfolders and files only ALL APPLICATION PACKAGES - Read & execute - This folder, subfolders and files Alternately use Icacls. In a Command prompt (admin) Enter icacls followed by the directory. icacls c:\ icacls "c:\program files" icacls c:\windows The following results will be displayed as each is entered: c:\ BUILTIN\Administrators:(OI)(CI)(F) NT AUTHORITY\SYSTEM:(OI)(CI)(F) BUILTIN\Users:(OI)(CI)(RX) NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M) NT AUTHORITY\Authenticated Users:(AD) Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW) Successfully processed 1 files; Failed processing 0 files c:\program files NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files c:\windows NT SERVICE\TrustedInstaller:(F) NT SERVICE\TrustedInstaller:(CI)(IO)(F) NT AUTHORITY\SYSTEM:(M) NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) BUILTIN\Administrators:(M) BUILTIN\Administrators:(OI)(CI)(IO)(F) BUILTIN\Users:(RX) BUILTIN\Users:(OI)(CI)(IO)(GR,GE) CREATOR OWNER:(OI)(CI)(IO)(F) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO)(GR,GE) Successfully processed 1 files; Failed processing 0 files If an ACL setting prevents a site's applications from performing properly, settings must only be changed to the minimum necessary for the application to function. Each exception must be documented with the ISSO.

Fix: F-41178r1_fix

Maintain the default file ACLs and configure the Security Option: "Network access: Let everyone permissions apply to anonymous users" to "Disabled" (V-3377).

Checks: C-62017r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> Security Options. If the value for "Microsoft Network Client: Send unencrypted password to third-party SMB servers" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnablePlainTextPassword Value Type: REG_DWORD Value: 0

Fix: F-66913r1_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Microsoft Network Client: Send unencrypted password to third-party SMB servers" to "Disabled".

Checks: C-44783r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.) If the value for "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: AutoAdminLogon Type: REG_SZ Value: 0 Severity Override: If the "DefaultName" or "DefaultDomainName" in the same registry path contain an administrator account name and the "DefaultPassword" contains a value, this is a CAT I finding.

Fix: F-41182r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (AutoAdminLogon) Enable Automatic Logon (not recommended)" to "Disabled". Ensure no passwords are stored in the "DefaultPassword" registry value noted below. Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: DefaultPassword

Checks: C-66209r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies >> Password Policy. If the value for "Password must meet complexity requirements" is not set to "Enabled", this is a finding. Note: If an external password filter is in use that enforces all 4 character types and requires this setting be set to "Disabled", this would not be considered a finding. If this setting does not affect the use of an external password filter, it must be enabled for fallback purposes.

Fix: F-41184r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Account Policies >> Password Policy >> "Password must meet complexity requirements" to "Enabled".

Checks: C-44788r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Interactive Logon: Do not require CTRL+ALT+DEL" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: DisableCAD Value Type: REG_DWORD Value: 0

Fix: F-41187r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Interactive Logon: Do not require CTRL+ALT+DEL" to "Disabled".

Checks: C-66297r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny access to this computer from the network" right, this is a finding: Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.

Fix: F-71685r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny access to this computer from the network" to include the following. Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.

Checks: C-44790r3_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> Security Options. If the value for "Interactive logon: Smart card removal behavior" is not set to "Lock Workstation" or "Force Logoff", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ Value Name: SCRemoveOption Value Type: REG_SZ Value: 1 (Lock Workstation) or 2 (Force Logoff) This can be left not configured or set to "No action" on workstations with the following conditions. This must be documented with the ISSO. -The setting cannot be configured due to mission needs, or because it interferes with applications. -Policy must be in place that users manually lock workstations when leaving them unattended. -The screen saver is properly configured to lock as required.

Fix: F-41189r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Interactive logon: Smart card removal behavior" to "Lock Workstation" or "Force Logoff".

Checks: C-44793r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Microsoft Network Server: Digitally sign communications (if client agrees)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1

Fix: F-41192r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft Network Server: Digitally sign communications (if Client agrees)" to "Enabled".

Checks: C-44794r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Domain Member: Digitally encrypt secure channel data (when possible)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SealSecureChannel Value Type: REG_DWORD Value: 1 Note: If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this would not be a finding.

Fix: F-41193r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain Member: Digitally encrypt secure channel data (when possible)" to "Enabled".

Checks: C-44795r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Domain Member: Digitally sign secure channel data (when possible)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: SignSecureChannel Value Type: REG_DWORD Value: 1 Note: If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is set to "Enabled", this would not be a finding.

Fix: F-41194r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain Member: Digitally sign secure channel data (when possible)" to "Enabled".

Checks: C-44797r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Microsoft Network Client: Digitally sign communications (if server agrees)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: EnableSecuritySignature Value Type: REG_DWORD Value: 1

Fix: F-41196r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft Network Client: Digitally sign communications (if server agrees)" to "Enabled".

Checks: C-44798r3_chk

Review the Backup Operators group in Computer Management. If the group contains any accounts, this must be documented with the ISSO. Any accounts that are members of the Backup Operators group must be documented, including application accounts. Users with accounts in the Backup Operators group will have a separate user account for backup functions and for performing normal user tasks. If the group contains no accounts, this is not a finding. If any of the following conditions are true, this is a finding: -Each Backup Operator does not have a unique userid dedicated to the backup function. -Each Backup Operator does not have a separate account for normal user tasks. -The ISSO does not maintain a list of users belonging to the Backup Operators group.

Fix: F-41197r2_fix

Create the necessary documentation that identifies the members of the Backup Operators group, to be maintained with the ISSO. Create separate accounts for backup operations for users with this privilege. Create separate accounts for normal user functions for users with this privilege.

Checks: C-44799r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Devices: Allowed to Format and Eject Removable Media" is not set to " Administrators", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows NT\CurrentVersion\Winlogon Value Name: AllocateDASD Value Type: REG_SZ Value: 0

Fix: F-41198r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Devices: Allowed to Format and Eject Removable Media" to "Administrators".

Checks: C-44806r1_chk

Open the Computer Management Console. Expand the "System Tools" object in the Tree window. Expand the "Shared Folders" object. Select the "Shares" object. Right click any non-system-created shares (the system will prompt you if Properties are selected for system-created shares). Select Properties. Select the Share Permissions tab. Verify the necessity of any shares found. If the file shares have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding. Select the Security tab. If the NTFS permissions have not been reconfigured to restrict permissions to the specific groups or accounts that require access, this is a finding.

Fix: F-41205r1_fix

If a share is required on a system, configure the share and NTFS permissions to limit access to the specific groups or accounts that require it. Remove any unnecessary non-system created shares.

Checks: C-44815r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Domain Member: Require Strong (Windows 2000 or Later) Session Key" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireStrongKey Value Type: REG_DWORD Value: 1 Warning: This setting may prevent a system from being joined to a domain if not configured consistently between systems.

Fix: F-41214r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain Member: Require Strong (Windows 2000 or Later) Session Key" to "Enabled".

Checks: C-44817r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network access: Do not allow storage of passwords and credentials for network authentication" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: DisableDomainCreds Value Type: REG_DWORD Value: 1

Fix: F-41216r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Do not allow storage of passwords and credentials for network authentication" to "Enabled".

Checks: C-44818r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network access: Let everyone permissions apply to anonymous users" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: EveryoneIncludesAnonymous Value Type: REG_DWORD Value: 0

Fix: F-41217r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Let everyone permissions apply to anonymous users" to "Disabled".

Checks: C-44819r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network access: Sharing and security model for local accounts" is not set to "Classic - local users authenticate as themselves", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: ForceGuest Value Type: REG_DWORD Value: 0

Fix: F-41218r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves".

Checks: C-44821r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network security: Force logoff when logon hours expire" is not set to "Enabled", this is a finding.

Fix: F-41220r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Force logoff when logon hours expire" to "Enabled".

Checks: C-44822r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network security: LDAP client signing requirements" is not set to at least "Negotiate signing", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LDAP\ Value Name: LDAPClientIntegrity Value Type: REG_DWORD Value: 1

Fix: F-41221r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: LDAP client signing requirements" to "Negotiate signing" at a minimum.

Checks: C-44823r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" is not set to "Require NTLMv2 session security" and "Require 128-bit encryption", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinClientSec Value Type: REG_DWORD Value: 0x20080000 (537395200) "Require NTLMv2 session security" will prevent authentication, if the "Network security: LAN Manager Authentication level" is set to permit NTLM or LM authentication.

Fix: F-41222r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) clients" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).

Checks: C-44824r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\FIPSAlgorithmPolicy\ Value Name: Enabled Value Type: REG_DWORD Value: 1 Warning: Clients with this setting enabled will not be able to communicate via digitally encrypted or signed protocols with servers that do not support these algorithms. Both the browser and web server must be configured to use TLS, or the browser will not be able to connect to a secure site.

Fix: F-41223r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing" to "Enabled".

Checks: C-60905r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> Security Options. If the value for "System Objects: Require case insensitivity for non-Windows subsystems" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\ Value Name: ObCaseInsensitive Value Type: REG_DWORD Value: 1

Fix: F-65637r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "System Objects: Require case insensitivity for non-Windows subsystems" to "Enabled".

Checks: C-44827r2_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fPromptForPassword Type: REG_DWORD Value: 1

Fix: F-41225r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Always prompt for password upon connection" to "Enabled".

Checks: C-44828r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: MinEncryptionLevel Type: REG_DWORD Value: 3

Fix: F-41226r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security -> "Set client connection encryption level" to "Enabled" and "High Level".

Checks: C-44829r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: PerSessionTempDir Type: REG_DWORD Value: 1

Fix: F-41228r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not use temporary folders per session" to "Disabled".

Checks: C-44831r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DeleteTempDirsOnExit Type: REG_DWORD Value: 1

Fix: F-41230r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Temporary Folders -> "Do not delete temp folder upon exit" to "Disabled".

Checks: C-44837r1_chk

Review the registry. If the following registry value does not exist, this is not a finding (This is the expected result from configuring the policy as outlined in the Fix section). If the following registry value exists but is not configured as specified, this is a finding. Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\system\ Value Name: DisableBkGndGroupPolicy Type: REG_DWORD Value: 0

Fix: F-41236r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Turn off background refresh of Group Policy" to "Disabled".

Checks: C-44840r3_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fAllowUnsolicited Type: REG_DWORD Value: 0 Offer remote assistance may be enabled on workstations if mitigations are in place. This must be documented with the ISSO.

Fix: F-41251r2_fix

Configure the policy value for Computer Configuration >> Administrative Templates >> System >> Remote Assistance >> "Configure Offer Remote Assistance" to "Disabled".

Checks: C-44843r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. (See "Updating the Windows Security Options File" in the STIG Overview document if MSS settings are not visible in the system's policy tools.) If the value for "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Session Manager\ Value Name: SafeDllSearchMode Value Type: REG_DWORD Value: 1

Fix: F-41254r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "MSS: (SafeDllSearchMode) Enable Safe DLL search mode (recommended)" to "Enabled".

Checks: C-44844r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: DisableAutoupdate Type: REG_DWORD Value: 1

Fix: F-41255r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> "Prevent Automatic Updates" to "Enabled".

Checks: C-44845r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\WindowsMediaPlayer\ Value Name: PreventCodecDownload Type: REG_DWORD Value: 1

Fix: F-41256r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Windows Media Player -> Playback -> "Prevent Codec Download" to "Enabled".

Checks: C-44846r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" is not set to "Require NTLMv2 session security" and "Require 128-bit encryption", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\MSV1_0\ Value Name: NTLMMinServerSec Value Type: REG_DWORD Value: 0x20080000 (537395200) "Require NTLMv2 session security" will prevent authentication if "Network security: LAN Manager Authentication level" is set to permit NTLM or LM authentication.

Fix: F-41257r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network security: Minimum session security for NTLM SSP based (including secure RPC) servers" to "Require NTLMv2 session security" and "Require 128-bit encryption" (all options selected).

Checks: C-45196r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fEncryptRPCTraffic Type: REG_DWORD Value: 1

Fix: F-41666r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security "Require secure RPC communication" to "Enabled".

Checks: C-44856r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Group Policy\{35378EAC-683F-11D2-A89A-00C04FBBCFA2} Value Name: NoGPOListChanges Type: REG_DWORD Value: 0

Fix: F-41267r2_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Group Policy -> "Configure registry policy processing" to "Enabled" and select the option "Process even if the Group Policy objects have not changed".

Checks: C-44857r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Domain Member: Digitally encrypt or sign secure channel data (always)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\Netlogon\Parameters\ Value Name: RequireSignOrSeal Value Type: REG_DWORD Value: 1

Fix: F-41268r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Domain Member: Digitally encrypt or sign secure channel data (always)" to "Enabled".

Checks: C-44858r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Microsoft Network Client: Digitally sign communications (always)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanmanWorkstation\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1

Fix: F-41269r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft Network Client: Digitally sign communications (always)" to "Enabled".

Checks: C-44859r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Microsoft Network Server: Digitally sign communications (always)" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Services\LanManServer\Parameters\ Value Name: RequireSecuritySignature Value Type: REG_DWORD Value: 1

Fix: F-41270r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft Network Server: Digitally sign communications (always)" to "Enabled".

Checks: C-44861r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Account Policies -> Password Policy. If the value for the "Minimum password length," is less than 14 characters, this is a finding.

Fix: F-41299r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Account Policies -> Password Policy -> "Minimum password length" to at least "14" characters.

Checks: C-44862r2_chk

Run the DUMPSEC utility. Select "Dump Users as Table" from the "Report" menu. Select the following fields, and click "Add" for each entry. UserName SID PswdExpires AcctDisabled Groups If any accounts have "No" in the "PswdExpires" column, this is a finding. The following are exempt from this requirement: Application Accounts Accounts that meet the requirements for allowable exceptions must be documented with the ISSO.

Fix: F-41300r2_fix

Configure all passwords to expire. Ensure "Password never expires" is not checked on all accounts in Computer Management, Local Users and Groups. Document any exceptions with the ISSO.

Checks: C-44865r3_chk

Determine if there is a contingency for administering a non-domain system with limited administrators. An emergency administrator account must be documented with the ISSO, and it must be stored with its password in a secure location. If there is no contingency for administering a system in an emergency, this is a finding.

Fix: F-41303r2_fix

Create a contingency plan for administering a system. Document any emergency administrator account with the ISSO and store the account information in a secure location.

Checks: C-44866r1_chk

Determine if the site has a policy that requires the default and emergency admin passwords to be changed at least annually or when any member of the administrative team leaves the organization. If there is no policy, this is a finding.

Fix: F-41304r1_fix

Define a policy that requires the default and emergency administrator passwords to be changed at least annually or when any member of the administrative team leaves the organization. Ensure the policy is implemented.

Checks: C-44867r3_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Audit: Audit the access of global system objects" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa Value Name: AuditBaseObjects Value Type: REG_DWORD Value: 0

Fix: F-41305r2_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the access of global system objects" to "Disabled".

Checks: C-44868r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Audit: Audit the use of Backup and Restore privilege" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa Value Name: FullPrivilegeAuditing Value Type: REG_BINARY Value: 0

Fix: F-41306r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Audit the use of Backup and Restore privilege" to "Disabled".

Checks: C-44869r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \System\CurrentControlSet\Control\Lsa\ Value Name: SCENoApplyLegacyAuditPolicy Value Type: REG_DWORD Value: 1

Fix: F-41307r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings" to "Enabled".

Checks: C-44872r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Admin Approval Mode for the Built-in Administrator account" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: FilterAdministratorToken Value Type: REG_DWORD Value: 1

Fix: F-41310r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Admin Approval Mode for the Built-in Administrator account" to "Enabled".

Checks: C-44873r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" is not set to "Prompt for consent on the secure desktop", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorAdmin Value Type: REG_DWORD Value: 2 (Prompt for consent on the secure desktop)

Fix: F-41311r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode" to "Prompt for consent on the secure desktop".

Checks: C-72727r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> Security Options. If the value for "User Account Control: Behavior of the elevation prompt for standard users" is not set to "Automatically deny elevation requests", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ConsentPromptBehaviorUser Value Type: REG_DWORD Value: 0x00000000 (0)

Fix: F-78891r1_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "User Account Control: Behavior of the elevation prompt for standard users" to "Automatically deny elevation requests".

Checks: C-44876r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Detect application installations and prompt for elevation" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableInstallerDetection Value Type: REG_DWORD Value: 1

Fix: F-41333r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Detect application installations and prompt for elevation" to "Enabled".

Checks: C-44877r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Only elevate UIAccess applications that are installed in secure locations" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableSecureUIAPaths Value Type: REG_DWORD Value: 1

Fix: F-41334r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate UIAccess applications that are installed in secure locations" to "Enabled".

Checks: C-44878r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Run all administrators in Admin Approval Mode" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableLUA Value Type: REG_DWORD Value: 1

Fix: F-41335r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Run all administrators in Admin Approval Mode" to "Enabled".

Checks: C-44879r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Switch to the secure desktop when prompting for elevation" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: PromptOnSecureDesktop Value Type: REG_DWORD Value: 1

Fix: F-41336r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Switch to the secure desktop when prompting for elevation" to "Enabled".

Checks: C-44880r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Virtualize file and registry write failures to per-user locations" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: EnableVirtualization Value Type: REG_DWORD Value: 1

Fix: F-41337r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Virtualize file and registry write failures to per-user locations" to "Enabled".

Checks: C-44881r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\CredUI Value Name: EnumerateAdministrators Type: REG_DWORD Value: 0

Fix: F-41338r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Credential User Interface -> "Enumerate administrator accounts on elevation" to "Disabled".

Checks: C-44882r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: DisablePasswordSaving Type: REG_DWORD Value: 1

Fix: F-41339r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Connection Client -> "Do not allow passwords to be saved" to "Enabled".

Checks: C-62235r2_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDenyTSConnections Value Type: REG_DWORD Value: 1 If Remote Desktop Services for remote administration is necessary, enabling this would not be a finding. Restricted Admin mode must be used. This must be document with the ISSO. See Microsoft article KB2871997 for patches required to add this function to systems prior to Windows 8.1. Restricted Admin mode for Remote Desktop Connections can be implemented for each session using a command line switch to start the Remote Desktop Client or through a group policy to enable it for all sessions. The command line to do this is "mstsc /restrictedadmin". To enable this with group policy, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Restrict delegation of credentials to remote servers" to "Enabled".

Fix: F-67151r3_fix

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Remote Desktop Services >> Remote Desktop Session Host >> Connections >> "Allow users to connect remotely by using Remote Desktop Services" to "Disabled". If Remote Desktop Services for remote administration is necessary, enabling this would not be a finding. Restricted Admin mode must be used. This must be document with the ISSO. See Microsoft article KB2871997 for patches required to add this function to systems prior to Windows 8.1. Restricted Admin mode for Remote Desktop Connections can be implemented for each session using a command line switch to start the Remote Desktop Client or through a group policy to enable it for all sessions. The command line to do this is "mstsc /restrictedadmin". To enable this with group policy, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Restrict delegation of credentials to remote servers" to "Enabled".

Checks: C-44884r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Terminal Services\ Value Name: fDisableCdm Type: REG_DWORD Value: 1

Fix: F-41341r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Device and Resource Redirection -> "Do not allow drive redirection" to "Enabled".

Checks: C-44886r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Rpc\ Value Name: RestrictRemoteClients Type: REG_DWORD Value: 1

Fix: F-41343r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Remote Procedure Call -> "Restrict Unauthenticated RPC clients" to "Enabled" and "Authenticated".

Checks: C-44889r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoWebServices Type: REG_DWORD Value: 1

Fix: F-41346r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Internet download for Web publishing and online ordering wizards" to "Enabled".

Checks: C-44892r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableHTTPPrinting Type: REG_DWORD Value: 1

Fix: F-41349r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off printing over HTTP" to "Enabled".

Checks: C-44893r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows NT\Printers\ Value Name: DisableWebPnPDownload Type: REG_DWORD Value: 1

Fix: F-41350r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off downloading of print drivers over HTTP" to "Enabled".

Checks: C-44894r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\DriverSearching\ Value Name: DontSearchWindowsUpdate Type: REG_DWORD Value: 1

Fix: F-41351r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Windows Update device driver searching" to "Enabled".

Checks: C-44895r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: SaveZoneInformation Type: REG_DWORD Value: 2

Fix: F-41352r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Do not preserve zone information in file attachments" to "Disabled".

Checks: C-44896r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: HideZoneInfoOnProperties Type: REG_DWORD Value: 1

Fix: F-41353r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Hide mechanisms to remove zone information" to "Enabled".

Checks: C-44897r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Attachments\ Value Name: ScanWithAntiVirus Type: REG_DWORD Value: 3

Fix: F-41354r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Attachment Manager -> "Notify antivirus programs when opening attachments" to "Enabled".

Checks: C-73951r2_chk

Run "Services.msc". Verify the McAfee Agent service is running, depending on the version installed. Version - Service Name McAfee Agent v5.x - McAfee Agent Service McAfee Agent v4.x - McAfee Framework Service If the service is not listed or does not have a Status of "Started", this is a finding.

Fix: F-41355r1_fix

Deploy the McAfee Agent as detailed in accordance with the DoD HBSS STIG.

Checks: C-44899r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Peernet\ Value Name: Disabled Type: REG_DWORD Value: 1

Fix: F-41356r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Microsoft Peer-to-Peer Networking Services -> "Turn Off Microsoft Peer-to-Peer Networking Services" to "Enabled".

Checks: C-44900r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Network Connections\ Value Name: NC_AllowNetBridge_NLA Type: REG_DWORD Value: 0

Fix: F-41357r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Network Connections -> "Prohibit installation and configuration of Network Bridge on your DNS domain network" to "Enabled".

Checks: C-44904r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInternetOpenWith Type: REG_DWORD Value: 1

Fix: F-41361r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication settings -> "Turn off Internet File Association service" to "Enabled".

Checks: C-44908r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Internet Explorer\Feeds\ Value Name: DisableEnclosureDownload Type: REG_DWORD Value: 1

Fix: F-41365r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> RSS Feeds -> "Prevent downloading of enclosures" to "Enabled".

Checks: C-44909r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: PreXPSP2ShellProtocolBehavior Type: REG_DWORD Value: 0

Fix: F-41366r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off shell protocol protected mode" to "Disabled".

Checks: C-44910r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Installer\ Value Name: SafeForScripting Type: REG_DWORD Value: 0

Fix: F-41367r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Prevent Internet Explorer security prompt for Windows Installer scripts" to "Disabled".

Checks: C-44911r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Installer\ Value Name: EnableUserControl Type: REG_DWORD Value: 0

Fix: F-41368r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Installer -> "Allow user control over installs" to "Disabled".

Checks: C-44914r1_chk

If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\LLTD\ Value Name: AllowLLTDIOOndomain Value Name: AllowLLTDIOOnPublicNet Value Name: EnableLLTDIO Value Name: ProhibitLLTDIOOnPrivateNet Type: REG_DWORD Value: 0

Fix: F-41371r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Mapper I/O (LLTDIO) driver" to "Disabled".

Checks: C-44915r1_chk

If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\LLTD\ Value Name: AllowRspndrOndomain Value Name: AllowRspndrOnPublicNet Value Name: EnableRspndr Value Name: ProhibitRspndrOnPrivateNet Type: REG_DWORD Value: 0

Fix: F-41372r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Link-Layer Topology Discovery -> "Turn on Responder (RSPNDR) driver" to "Disabled".

Checks: C-44916r1_chk

If the following registry values do not exist or are not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\WCN\Registrars\ Value Name: DisableFlashConfigRegistrar Value Name: DisableInBand802DOT11Registrar Value Name: DisableUPnPRegistrar Value Name: DisableWPDRegistrar Value Name: EnableRegistrars Type: REG_DWORD Value: 0

Fix: F-41373r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Configuration of wireless settings using Windows Connect Now" to "Disabled".

Checks: C-44917r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\WCN\UI\ Value Name: DisableWcnUi Type: REG_DWORD Value: 1

Fix: F-41374r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Network -> Windows Connect Now -> "Prohibit Access of the Windows Connect Now wizards" to "Enabled".

Checks: C-44918r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\DeviceInstall\Settings\ Value Name: AllowRemoteRPC Type: REG_DWORD Value: 0

Fix: F-41375r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Device Installation -> "Allow remote access to the Plug and Play interface" to "Disabled".

Checks: C-44923r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: DCSettingIndex Type: REG_DWORD Value: 1

Fix: F-41380r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (on battery)" to "Enabled".

Checks: C-44924r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Power\PowerSettings\0e796bdb-100d-47d6-a2d5-f7d2daa51f51\ Value Name: ACSettingIndex Type: REG_DWORD Value: 1

Fix: F-41381r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Power Management -> Sleep Settings -> "Require a password when a computer wakes (plugged in)" to "Enabled".

Checks: C-44927r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Windows Search\ Value Name: AllowIndexingEncryptedStoresOrItems Type: REG_DWORD Value: 0

Fix: F-41384r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Search -> "Allow indexing of encrypted files" to "Disabled".

Checks: C-57987r1_chk

If the following registry value exists and is set to "1" (Basic) or "2" (Advanced), this is a finding. If the following registry value does not exist, this is not a finding. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Policies\Microsoft\Windows Defender\Spynet\ Value Name: SpyNetReporting Type: REG_DWORD Value: 1 or 2 = a Finding

Fix: F-71645r1_fix

Configure the policy value for Computer Configuration >> Administrative Templates >> Windows Components >> Windows Defender >> MAPS >> "Join Microsoft MAPS" to "Disabled".

Checks: C-44934r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\WMDRM\ Value Name: DisableOnline Type: REG_DWORD Value: 1

Fix: F-41391r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> Windows Media Digital Rights Management -> "Prevent Windows Media DRM Internet Access" to "Enabled".

Checks: C-44935r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\ Value Name: NoInPlaceSharing Type: REG_DWORD Value: 1

Fix: F-41392r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> Windows Components -> Network Sharing -> "Prevent users from sharing files within their profile" to "Enabled".

Checks: C-44936r2_chk

Search all drives for *.p12 and *.pfx files. If any files with these extensions exist, this is a finding. This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager). Some applications create files with extensions of .p12 that are NOT certificate installation files. Removal of non-certificate installation files from systems is not required. These must be documented with the ISSO.

Fix: F-41393r1_fix

Remove any certificate installation files (*.p12 and *.pfx) found on a system. Note: This does not apply to server-based applications that have a requirement for .p12 certificate files (e.g., Oracle Wallet Manager).

Checks: C-44937r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "User Account Control: Only elevate executables that are signed and validated" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \Software\Microsoft\Windows\CurrentVersion\Policies\System\ Value Name: ValidateAdminCodeSignatures Value Type: REG_DWORD Value: 0

Fix: F-41394r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "User Account Control: Only elevate executables that are signed and validated" to "Disabled".

Checks: C-44938r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\SQMClient\Windows\ Value Name: CEIPEnable Type: REG_DWORD Value: 0

Fix: F-41395r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Windows Customer Experience Improvement Program" to "Enabled".

Checks: C-44939r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoImplicitFeedback Type: REG_DWORD Value: 1

Fix: F-41396r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Experience Improvement Program" to "Enabled".

Checks: C-44940r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Accounts: Administrator account status" is not set to "Disabled", this is a finding.

Fix: F-41397r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Accounts: Administrator account status" to "Disabled".

Checks: C-44941r1_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_CURRENT_USER Subkey: \Software\Policies\Microsoft\Assistance\Client\1.0\ Value Name: NoExplicitFeedback Type: REG_DWORD Value: 1

Fix: F-41398r1_fix

Configure the policy value for User Configuration -> Administrative Templates -> System -> Internet Communication Management -> Internet Communication Settings -> "Turn off Help Ratings" to "Enabled".

Checks: C-45085r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Microsoft network server: Server SPN target name validation level" is not set to "Accept if provided by client", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \System\CurrentControlSet\Services\LanmanServer\Parameters\ Value Name: SmbServerNameHardeningLevel Type: REG_DWORD Value: 1

Fix: F-41547r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Microsoft network server: Server SPN target name validation level" to "Accept if provided by client".

Checks: C-45088r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network Security: Allow Local System to use computer identity for NTLM" is not set to "Enabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \System\CurrentControlSet\Control\LSA\ Value Name: UseMachineId Type: REG_DWORD Value: 1

Fix: F-41550r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network Security: Allow Local System to use computer identity for NTLM" to "Enabled".

Checks: C-45091r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network Security: Allow LocalSystem NULL session fallback" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \System\CurrentControlSet\Control\LSA\MSV1_0\ Value Name: allownullsessionfallback Type: REG_DWORD Value: 0

Fix: F-41553r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network Security: Allow LocalSystem NULL session fallback" to "Disabled".

Checks: C-45093r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> Security Options. If the value for "Network Security: Allow PKU2U authentication requests to this computer to use online identities" is not set to "Disabled", this is a finding. The policy referenced configures the following registry value: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \System\CurrentControlSet\Control\LSA\pku2u\ Value Name: AllowOnlineID Type: REG_DWORD Value: 0

Fix: F-41555r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options -> "Network Security: Allow PKU2U authentication requests to this computer to use online identities" to "Disabled".

Checks: C-78965r2_chk

Review the value to the following registry key to verify the DES_CBC_CRC and DES_CBC_MD5 encryption suites are not allowed. Registry Hive: HKEY_LOCAL_MACHINE Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\Parameters\ Value Name: SupportedEncryptionTypes Type: REG_DWORD The values are determined by the selection of encryption suites in the policy "Network Security: Configure encryption types allowed for Kerberos". Due to the various possible combinations, it is not possible to include all acceptable values as viewed directly in the registry. The value must be converted to binary to determine configuration of specific bits. This will determine whether this is a finding. Note the value for the registry key. For example when all suites, including the DES suites are selected, the value will be "0x7fffffff (2147483647)". Open the Windows calculator (Run "calc". This is the classic Windows calculator not the Windows Store calculator app.) Select "View", then "Programmer". Select "Dword" and either "Hex" or "Dec". Enter the appropriate form of the value found for the registry key (e.g., Hex - enter 0x7fffffff, Dec - enter 2147483647). Select "Bin". The returned value may vary in length, up to 32 characters. If either of the 2 right most characters are "1", this is a finding. If both of the 2 right most characters are "0", this is not a finding.

Fix: F-86123r1_fix

Configure the policy for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> Security Options >> "Network security: Configure encryption types allowed for Kerberos" to "Enabled" with only the following selected: RC4_HMAC_MD5 AES128_HMAC_SHA1 AES256_HMAC_SHA1 Future encryption types Options such as RC4_HMAC_MD5 may also be excluded to align with STIGs for later Windows versions.

Checks: C-45140r2_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Homegroup\ Value Name: DisableHomeGroup Type: REG_DWORD Value: 1

Fix: F-41603r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> HomeGroup -> "Prevent the computer from joining a homegroup" to "Enabled".

Checks: C-45142r2_chk

If the following registry value does not exist or is not configured as specified, this is a finding: Registry Hive: HKEY_LOCAL_MACHINE Subkey: \Software\Policies\Microsoft\Windows\Explorer\ Value Name: NoDataExecutionPrevention Type: REG_DWORD Value: 0

Fix: F-41607r1_fix

Configure the policy value for Computer Configuration -> Administrative Templates -> Windows Components -> File Explorer -> "Turn off Data Execution Prevention for Explorer" to "Disabled".

Checks: C-45164r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups are granted the "Access Credential Manager as a trusted caller" user right, this is a finding.

Fix: F-41636r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Access Credential Manager as a trusted caller" to be defined but containing no entries (blank).

Checks: C-78089r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> User Rights Assignment. If any accounts or groups other than the following are granted the "Access this computer from the network" user right, this is a finding: Administrators If a domain application account such as for a management tool requires this user right, this would not be a finding. Vendor documentation must support the requirement for having the user right. The requirement must be documented with the ISSO. The application account, managed at the domain level, must meet requirements for application account passwords, such as length and frequency of changes as defined in the Windows server STIGs.

Fix: F-41639r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Access this computer from the network" to only include the following accounts or groups: Administrators

Checks: C-49424r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Allow log on locally" user right, this is a finding: Administrators Users Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.

Fix: F-49516r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Allow log on locally" to only include the following accounts or groups: Administrators Users Systems dedicated to managing Active Directory (AD admin platforms), must only allow Administrators, removing the Users group.

Checks: C-62231r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies >> User Rights Assignment. If any accounts or groups are granted the "Allow log on through Remote Desktop Services" user right, this is a finding. Administrators may be granted this user right if Remote Desktop Services is necessary for remote administration. Restricted Admin mode must be used. This must be document with the ISSO. See Microsoft article KB2871997 for patches required to add this function to systems prior to Windows 8.1. Restricted Admin mode for Remote Desktop Connections can be implemented for each session using a command line switch to start the Remote Desktop Client or through a group policy to enable it for all sessions. The command line to do this is "mstsc /restrictedadmin". To enable this with group policy, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Restrict delegation of credentials to remote servers" to "Enabled".

Fix: F-67147r2_fix

Configure the policy value for Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> "Allow log on through Remote Desktop Services" to be defined but containing no entries (blank). Administrators may be granted this user right if Remote Desktop Services is necessary for remote administration. Restricted Admin mode must be used. This must be document with the ISSO. See Microsoft article KB2871997 for patches required to add this function to systems prior to Windows 8.1. Restricted Admin mode for Remote Desktop Connections can be implemented for each session using a command line switch to start the Remote Desktop Client or through a group policy to enable it for all sessions. The command line to do this is "mstsc /restrictedadmin". To enable this with group policy, configure the policy value for Computer Configuration >> Administrative Templates >> System >> Credentials Delegation >> "Restrict delegation of credentials to remote servers" to "Enabled".

Checks: C-45176r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Back up files and directories" user right, this is a finding: Administrators

Fix: F-41648r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Back up files and directories" to only include the following accounts or groups: Administrators

Checks: C-45178r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Change the system time" user right, this is a finding: Administrators Local Service

Fix: F-41650r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Change the system time" to only include the following accounts or groups: Administrators Local Service

Checks: C-45181r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Create a pagefile" user right, this is a finding: Administrators

Fix: F-41653r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Create a pagefile" to only include the following accounts or groups: Administrators

Checks: C-45183r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Create global objects" user right, this is a finding: Administrators Service Local Service Network Service

Fix: F-41655r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Create global objects" to only include the following accounts or groups: Administrators Service Local Service Network Service

Checks: C-45148r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups are granted the "Create permanent shared objects" user right, this is a finding.

Fix: F-41614r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Create permanent shared objects" to be defined but containing no entries (blank).

Checks: C-45150r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Create symbolic links" user right, this is a finding: Administrators

Fix: F-41616r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Create symbolic links" to only include the following accounts or groups: Administrators

Checks: C-45152r2_chk

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a batch job" right, this is a finding: Domain Systems Only: Enterprise Admin Group Domain Admin Group All Systems: Guests Group

Fix: F-41619r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a batch job" to include the following. Domain Systems Only: Enterprise Admin Group Domain Admin Group All Systems: Guests Group

Checks: C-45153r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on as a service" right on domain joined systems, this is a finding: Enterprise Admin Group Domain Admin Group If any accounts or groups are defined for the "Deny log on as a service" right on non-domain joined systems, this is a finding.

Fix: F-41626r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on as a service" to include the following for domain joined systems. Enterprise Admin Group Domain Admin Group Configure the "Deny log on as a service" for non-domain systems to include no entries (blank).

Checks: C-45873r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on locally" right, this is a finding. Domain Systems Only: Enterprise Admins Group Domain Admins Group Workstations dedicated to the management of Active Directory (see V-36436 in the Active Directory Domain STIG) are exempt from this. All Systems: Guests Group

Fix: F-43264r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on locally" to include the following. Domain Systems Only: Enterprise Admins Group Domain Admins Group Workstations dedicated to the management of Active Directory (see V-36436 in the Active Directory Domain STIG) are exempt from this. All Systems: Guests Group

Checks: C-66299r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If the following accounts or groups are not defined for the "Deny log on through Remote Desktop Services" right, this is a finding: If Remote Desktop Services is not used by the organization, the Everyone group can replace all of the groups listed below. Domain Systems Only: Enterprise Admin group Domain Admin group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.

Fix: F-71687r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Deny log on through Remote Desktop" to include the following. If Remote Desktop Services is not used by the organization, assign the Everyone group this right to prevent all access. Domain Systems Only: Enterprise Admins group Domain Admins group Local account (see Note below) All Systems: Guests group Systems dedicated to the management of Active Directory (AD admin platforms, see V-36436 in the Active Directory Domain STIG) are exempt from denying the Enterprise Admins and Domain Admins groups. Note: "Local account" is a built-in security group used to assign user rights and permissions to all local accounts.

Checks: C-45179r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups are granted the "Enable computer and user accounts to be trusted for delegation" user right, this is a finding.

Fix: F-41651r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Enable computer and user accounts to be trusted for delegation" to be defined but containing no entries (blank).

Checks: C-45184r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Force shutdown from a remote system" user right, this is a finding: Administrators

Fix: F-41656r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Force shutdown from a remote system" to only include the following accounts or groups: Administrators

Checks: C-45185r1_chk

Analyze the system using the Security Configuration and Analysis snap-in. (See "Performing Analysis with the Security Configuration and Analysis Snap-in" in the STIG Overview document.) Expand the Security Configuration and Analysis tree view. Navigate to Local Policies -> User Rights Assignment. If any accounts or groups other than the following are granted the "Generate security audits" user right, this is a finding: Local Service Network Service

Fix: F-41657r1_fix

Configure the policy value for Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> User Rights Assignment -> "Generate security audits" to only include the following accounts or groups: Local Service Network Service

Checks: C-45186r1_chk